2. Registration and Issuance Requirements
2.3 FIPS 201 Card Issuance and Maintenance
2.3.3 System-Based Model Example
The system-based model may be ideal for agencies that already have an automated identity
management system. The sections below summarize the roles, components, and processes of a typical system-based model.
2.3.3.1 System Based Roles
The PIV system-based identity proofing process defines the following roles:
• Applicant
• Employer/Sponsor
• Approval Authority
• Enrollment Official
• Issuing Authority (Issuer)
The Applicant is the individual to whom a PIV card will be issued once the PIV Registrar approves the application and the appropriate background checks have taken place. The Applicant must appear in person to the Employer/Sponsor or the Approval Authority or the Issuing Authority at least once prior to issuance of a PIV card.
In support of the application process, the Applicant should complete the following activities:
• Complete an SF 85 or equivalent
• Present two forms of identification from the list of acceptable documents on Form I-9, OMB No. 1115-0136, Employment Eligibility
The Employer/Sponsor is the individual who validates an Applicant’s requirement for a PIV card and authorizes the Applicant’s request.
The Employer/Sponsor should meet the following minimum standards:
• Be a government official and be authorized in writing by the agency to request a PIV card
• Have valid justification for requesting a PIV card for an Applicant
• Be in a position of responsibility for the agency and defined as such by the agency
• Have already been issued a valid PIV card
• Have successfully completed the Federal PIV Sponsor roles and responsibilities training module
The Enrollment Official is the individual who initiates the chain of trust for identity proofing and validates the identity-source documentation. The Enrollment Official delivers a secured enrollment package to the IDMS for adjudication.
The PIV Enrollment Official should meet the following minimum standards:
• Be a government official and be designated in writing as a PIV Enrollment Official
• Be able to assess the reasonableness of the Applicant’s identity-proofing documents. Reasonableness in this context indicates that the PIV Enrollment Official is trained to detect any improprieties in the Applicant’s identity-proofing documents
• Be able to evaluate whether a PIV application is satisfactory and apply agency-specific processes to an unsatisfactory PIV application. Thus, the PIV Enrollment Official needs training on agency processes and procedures for adjudicating an unsatisfactory PIV application
• Have successfully completed the PIV Enrollment Official roles and responsibilities training module
The Approval Authority establishes the organizational chain of command within the IDMS. This individual also manages the scope of the chain of trust between the enrollment process, the IDMS, card production and activation. This individual manages the entire IDMS and is also responsible for designating those individuals who will perform the duties of the Employer/Sponsor. Additionally, the Approval Authority should make sure that no single individual/role has the capability to issue a card without the participation of another individual and that there are at least two different individuals participating in the process at all times. The Approval Authority should be responsible for validating and auditing all of the checks that are conducted by the IDMS.
The Approval Authority should meet the following minimum standards:
• Be a government official and be designated in writing as an Approval Authority
• Be in a position of responsibility for the agency and defined as such by the agency
• Have already been issued a valid PIV card
• Have successfully completed the Federal Approval Authority roles and responsibilities training module
The Issuing Authority (Issuer) is the individual or entity who activates and issues a PIV card to an Applicant following the positive completion of all identity proofing, background checks, and related approvals. The Issuing Authority is responsible for ensuring that a one-to-one biometric check of the Applicant’s enrolled fingerprint biometric image matches the fingerprint image at card issuance.
The Issuing Authority should meet the following minimum standards:
• Be designated in writing as a PIV Issuing Authority. If this role is performed by a non-government official, that individual must be designated to perform the role by a government official within the agency and be designated in writing as an Issuing Authority
• Have successfully completed the Issuing Authority roles and responsibilities training module
2.3.3.2 Components
Certain components are associated with the system-based model. These components automate some of the tasks that are completed manually in the role-based model. A description of these components follows.
The Approval Authority maintains the IDMS. The IDMS contains records, including all documentation for all issued PIV cards. The IDMS is generally a collection of databases and interfaces that work together to perform the various functions described below. Some examples of components associated with the IDMS include a biometrics data repository, an account management function, a card management system, and a PKI infrastructure. The IDMS is typically just one part of an integrated identity management solution. The card management system within the IDMS should track the status of a PIV card throughout its entire lifecycle, including the production-request, personalization and printing, activation and issuance, suspension, revocation, and destruction phases. Additionally, the IDMS performs the identity proofing, verification, and validation of an Applicant prior to PIV issuance.
The biometric database within the IDMS has the capability to do a one-to-many fingerprint biometric search on all Applicants in the system to ensure that no Applicants have already been issued a PIV card and are requesting additional PIV cards fraudulently. In accordance with HSPD-11, the IDMS will have the capability to conduct identity verification and validation processes using government-wide databases and services. In addition, the IDMS should provide the following services:
• Notify Applicants of the status of their PIV requests, or make that status available to them on request (Applicants should not be able to query the IDMS directly)
• Notify the Employer/Sponsor of the status of the PIV request, or make that status available to the Employer/Sponsor on request
• Notify Employers/Sponsors, Approval Authorities, and Issuing Authorities whether a credential is still valid, or make that information available to them on request
The IDMS should contain all data records and be responsible for providing the Applicant’s data record that will be used by the Card Production and Personalization system. The IDMS should provide the card personalization information via secure means.
The Enrollment System initiates the chain of trust for identity proofing by confirming employer sponsorship, validating identity documentation, and binding Applicants to their biometric data. The enrollment system provides the IDMS with all of the identity documentation and forms that an Applicant completes prior to PIV card issuance. Although not defined in FIPS 201, agencies will have to establish an Enrollment Official to be responsible for operating the enrollment system. Because this individual will have access to Applicants’ personal information and biometric data, the Enrollment Official should be properly vetted and be trained to operate the enrollment system.
The Card Production and Personalization System personalizes and prints PIV credentials after the IDMS has approved such actions. Additionally, the Card Production and Personalization System should provide the following services:
• Maintain full inventory control of blank card stock, consumables, and manufacturing materials
• Maintain a list of IDMSs that can submit PIV requests for card production
• Maintain a list of Issuing Authorities that can activate and issue PIV cards
• Provide electronic acknowledgement of IDMS requests for PIV card production
• Notify the IDMS of successful/unsuccessful production of a PIV card
• Allow only approved individuals to access an Applicant’s card personalization information
These systems are essential in maintaining the chain of trust. Therefore, for each of the systems listed above, there should be a documented business process, a security evaluation, and a security policy.
2.3.3.3 Issuance Steps
This section describes the requirements for the system-based identity-proofing and registration process defined in FIPS 201. Agencies can implement more stringent requirements as long as they follow the minimum requirements defined below. All actions taken and systems associated with those actions should be auditable and secure.
1. Employers/Sponsors are pre-registered in the IDMS
2. The Applicant provides a formal PIV request and a minimum of two forms of acceptable identity documentation from I-9, OMB No. 1115-0136, Employment Eligibility to the Employer/Sponsor. At least one of the documents must be a valid picture ID issued by a state or by the Federal Government.
3. The Employer/Sponsor approves the request.
4. The Applicant appears for enrollment and provides the same documentation as provided to the Employer/Sponsor. The Applicant consents to enrollment and collection of demographic and biometric information for vetting and proofing identity and conducting background checks for the purpose of issuing a PIV card.
5. The Applicant’s identity documents are inspected and verified. If available, an electronic method should be used to check the validity of the identity documents.
6. The Employer/Sponsor’s approval is verified.
7. Fingerprints and a photograph of the Applicant are taken. The fingerprints and photograph must meet the standards defined in Sections 4.1.1.1.1 and 4.4 of this document.
8. The Applicant’s supporting documents are scanned into the system electronically.
9. The Applicant’s completed electronic enrollment package (scanned documents, biometric samples, and digital photograph) is digitally signed and forwarded to the IDMS.
10. The IDMS verifies the integrity of the enrollment package by confirming completeness and accuracy and that the digital signature is valid.
11. The IDMS confirms that the Employer/Sponsor is valid and approved the request.
12. The IDMS performs a one-to-many fingerprint biometric search to ensure that the Applicant is not already enrolled in the system.
13. The IDMS performs appropriate identity verification and validation through government-wide databases in accordance with HSPD-11 (HSPD-11 can be found at the following location, http://www.whitehouse.gov/news/releases/2004/08/print/20040827-7.html).
14. Once the IDMS has successfully completed steps 10–13, the Approval Authority approves card production for the Applicant.
15. The IDMS sends the information necessary for card personalization to the card production and personalization system.
16. The card production and personalization system personalizes and prints the PIV card.
17. Prior to issuing the PIV card to the Applicant, a one-to-one fingerprint biometric check is conducted against the IDMS record to ensure that the person who was enrolled in the system is the same individual being issued the PIV card.
18. The Issuer activates the PIV card.
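The IDMS checks in steps 10 through 14 and 17 through 18, together with the two-person rule from 2.3.3.1, as an added Python model that is not part of this document or of any agency system. The HMAC, the fingerprint template strings, and the role names are constructed stand-ins for the PKI signature, biometric matching, and real identities; the HSPD-11 government-wide checks of step 13 are outside the model.

```python
import hashlib
import hmac
import json

# Constructed key standing in for the enrollment station's signing key.
ENROLLMENT_KEY = b"constructed-enrollment-station-key"
REQUIRED_FIELDS = ("applicant", "sponsor", "documents", "fingerprint", "photo")


def sign_package(package: dict, key: bytes = ENROLLMENT_KEY) -> str:
    """Step 9: the enrollment system signs the package (HMAC stands in for PKI)."""
    body = json.dumps(package, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class IDMS:
    def __init__(self, sponsors):
        self.sponsors = set(sponsors)  # step 1: Employers/Sponsors are pre-registered
        self.records = {}              # applicant -> enrolled fingerprint template
        self.approved = set()          # applicants cleared for card production

    def accept_package(self, package, signature, enrollment_official, approval_authority):
        # Step 10: completeness, then signature validity (constant-time compare).
        if any(not package.get(f) for f in REQUIRED_FIELDS):
            return "rejected: incomplete package"
        if not hmac.compare_digest(sign_package(package), signature):
            return "rejected: invalid signature"
        # Step 11: the sponsor must be pre-registered and must have approved the request.
        if package["sponsor"] not in self.sponsors or not package.get("sponsor_approved"):
            return "rejected: sponsor not valid or request not approved"
        # Step 12: one-to-many search so an enrolled person cannot enroll twice.
        if package["fingerprint"] in self.records.values():
            return "rejected: applicant already enrolled"
        # Two-person rule (2.3.3.1): the approver must not be the enrollment official.
        if approval_authority == enrollment_official:
            return "rejected: approver and enrollment official are the same person"
        self.records[package["applicant"]] = package["fingerprint"]
        self.approved.add(package["applicant"])  # step 14: approved for production
        return "approved for card production"

    def issue_card(self, applicant, live_fingerprint, issuer, approval_authority):
        """Steps 17 and 18: one-to-one check against the IDMS record, then activation."""
        if applicant not in self.approved:
            return "rejected: no approved record"
        if issuer == approval_authority:
            return "rejected: issuer and approver are the same person"
        if not hmac.compare_digest(self.records[applicant], live_fingerprint):
            return "rejected: live fingerprint does not match enrolled record"
        return "card activated and issued"
```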